A critical security flaw has been disclosed in the Next.js React framework that could potentially be exploited to bypass authorization checks under certain conditions.
The vulnerability, tracked as CVE-2025-29927, carries a CVSS score of 9.1 out of 10.0.
"Next.js uses an internal header x-middleware-subrequest to prevent recursive requests from triggering infinite loops," Next.js said in an advisory.
"It was possible to skip running middleware, which could allow requests to skip critical checks—such as authorization cookie validation—before reaching routes."
The shortcoming has been addressed in versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3. If patching is not an option, it is recommended that users prevent external user requests that contain the x-middleware-subrequest header from reaching the Next.js application.
Security researcher Rachid Allam (aka zhero and cold-try), who is credited with discovering and reporting the flaw, has since published additional technical details of the flaw, making it imperative that users move quickly to apply the fixes.
"The vulnerability allows attackers to easily bypass authorization checks performed in Next.js middleware, potentially allowing attackers access to sensitive web pages reserved for admins or other high-privileged users," JFrog said.
The company also said any host website that uses middleware to authorize users without any additional authorization checks is vulnerable to CVE-2025-29927, potentially enabling attackers to access otherwise unauthorized resources (e.g., admin pages).
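The interim mitigation above (keep externally supplied x-middleware-subrequest headers away from the application) is usually applied at a reverse proxy or edge layer in front of Next.js. The following is an added example, not code from the Next.js project or the advisory, of such a filter written for Node: it strips the header from inbound requests (matching the name case-insensitively, since HTTP header names are case-insensitive), optionally rejects the request instead, and flags the event so that monitoring can alert on attempts. The upstream port (3000), listen port (8080), and the `startProxy` helper are assumptions for illustration.

```javascript
// Added example (not from the Next.js project or the advisory): an edge-side
// filter that removes any externally supplied x-middleware-subrequest header
// before a request is forwarded to a Next.js application, and reports whether
// one was present so the event can be logged or alerted on.
const BLOCKED_HEADER = 'x-middleware-subrequest';

// Returns { headers, flagged }: `headers` is a copy of the input with the
// blocked header removed (any letter case), `flagged` is true if it was present.
function sanitizeInboundHeaders(headers) {
  const clean = {};
  let flagged = false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === BLOCKED_HEADER) {
      flagged = true; // record the attempt, never forward the header
      continue;
    }
    clean[name] = value;
  }
  return { headers: clean, flagged };
}

// Policy decision for one request. mode 'strip' forwards with the header
// removed; mode 'reject' refuses the request outright with HTTP 400.
// Returns { status, headers, flagged }; status is null when forwarding.
function decideRequest(headers, { mode = 'strip' } = {}) {
  const result = sanitizeInboundHeaders(headers);
  if (result.flagged && mode === 'reject') {
    return { status: 400, headers: null, flagged: true };
  }
  return { status: null, headers: result.headers, flagged: result.flagged };
}

// Minimal forwarding proxy wiring (assumed deployment: Next.js on 127.0.0.1:3000,
// this filter listening on 8080). Not started automatically; call it to run.
function startProxy(listenPort = 8080, upstreamPort = 3000, mode = 'strip') {
  const http = require('http');
  const server = http.createServer((req, res) => {
    const decision = decideRequest(req.headers, { mode });
    if (decision.flagged) {
      // Detection hook: surface the attempt to your logging pipeline.
      console.warn(`[alert] ${req.socket.remoteAddress} sent ${BLOCKED_HEADER} for ${req.method} ${req.url}`);
    }
    if (decision.status !== null) {
      res.statusCode = decision.status;
      res.end();
      return;
    }
    const upstream = http.request(
      { host: '127.0.0.1', port: upstreamPort, method: req.method, path: req.url, headers: decision.headers },
      (up) => { res.writeHead(up.statusCode, up.headers); up.pipe(res); }
    );
    upstream.on('error', () => { res.statusCode = 502; res.end(); });
    req.pipe(upstream);
  });
  server.listen(listenPort);
  return server;
}
```

Running `startProxy()` in front of an unpatched application removes the header from every inbound request while leaving the framework's own internal use of it intact, and the `[alert]` log line gives the SOC a concrete signal that someone probed for this issue. Stripping (rather than rejecting) is the safer default when legitimate intermediaries might forward unexpected headers; switch to `'reject'` where the edge is the only trusted entry point.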